In [Huang-Raskind 2009], the authors proved that the discrete logarithm problem in a prime finite field is random polynomial time equivalent to computing the ramification signature of a real quadratic field. In this paper, we do this for a quadratic extension of a prime field.
1 Introduction

Let $p$ be a big prime number and $E$ an elliptic curve over $\mathbb{F}_p$. The computational complexity of the discrete logarithm problem in $\mathbb{F}_p^\times$ or in $E(\mathbb{F}_p)$ is used in public-key encryption schemes. Estimating the greatest lower bound on the complexity of solving the discrete logarithm problem is an important and difficult problem.

In the case of $\mathbb{F}_p^\times$, the best algorithm known so far is the number field sieve; for example, see [Gordon 1993] and [Schirokauer 1993]. It solves the discrete logarithm problem in $\mathbb{F}_p^\times$ in a conjectural running time
$$L_p(\tfrac13, c) = \exp\bigl((c + o(1)) (\log p)^{1/3} (\log \log p)^{2/3}\bigr),$$
with $c = (64/9)^{1/3}$. In the case of $E(\mathbb{F}_p)$, the problem can be reduced to the discrete logarithm problem in $\mathbb{F}_q^\times$ using the MOV attack [MOV 1993], where $q = p^k$ for some integer $k$. The discrete logarithm problem in $\mathbb{F}_q^\times$ can be solved using the function field sieve ([Adleman 1994]; [Adleman and Huang 1999]) or a modified number field sieve ([Schirokauer 2000]). Let $e$ be the real number such that $k = (\log q / \log \log q)^e$. Then, the running time of the function field sieve is conjecturally equal to $L_q(\max\{\tfrac13, 1 - e\}, O(1))$, and that of the modified number field sieve is conjecturally equal to $L_q(\max\{\tfrac13, \,\cdot\,\}, O(1))$, where the second argument of the maximum is illegible in the source.

Alternatively, we can estimate the greatest lower bound by studying an equivalent problem of a discrete logarithm problem. In [Huang-Raskind 2009], the authors lifted the discrete logarithm problem in $\mathbb{F}_p^\times$ to a real quadratic field. They defined the "ramification signature" for the real quadratic field and proved that the discrete logarithm problem in $\mathbb{F}_p^\times$ is random polynomial time equivalent to computing the ramification signature of the real quadratic field under two heuristic assumptions, namely, an assumption on the class number and an assumption on a global unit of the real quadratic field.

In this paper, we lift the discrete logarithm problem in $\mathbb{F}_{p^2}^\times$ to a real quadratic field. We then define the "ramification signature" for the real quadratic field and prove that the discrete logarithm problem in $\mathbb{F}_{p^2}^\times$ is random polynomial time equivalent to computing the ramification signature of the real quadratic field, with one heuristic assumption on the class number. We also show that in the proof of the equivalence in [Huang-Raskind 2009] one can remove the assumption on the global unit. More precisely, we give an improvement (Step 4 in Section 3.2.b in the text) on the construction of the real quadratic field and global unit that makes the condition in Proposition 2 of Section 4.1 in [Huang-Raskind 2009] satisfied automatically.

In Section 2, we define the ramification signature for a real quadratic field. In Section 3, we prove the equivalence of the discrete logarithm problem in $\mathbb{F}_{p^2}^\times$ and the computation of a ramification signature of a real quadratic field. Consequently, we also prove the equivalence in [Huang-Raskind 2009] without the assumption on the global unit.



2 Signature 

To define the ramification signature for a real quadratic field, we need a proposition.

Proposition 2.1. Let $l$ and $p$ be two distinct odd prime numbers, and $K = \mathbb{Q}(\sqrt{D})$ a real quadratic field that splits over $l$ and is inert over $p$. We denote the ring of integers of $K$ by $A_K$, the points over $l$ by $u$ and $u'$, and the point over $p$ in $\operatorname{Spec} A_K$ by $v$. Let $I_u$, $I_{u'}$ and $I_v$ be the prime ideals of $A_K$ corresponding to $u$, $u'$ and $v$, respectively. Let $Z := \{u, v\}$ and $U := \operatorname{Spec} A_K \setminus Z$. Let $A_u$ and $A_v$ be the completions of $A_K$ at $u$ and $v$ respectively. Denote [definition illegible in the source].

Suppose that $p^2 - 1$ is divisible by $l$, the class number of $K$ is not divisible by $l$, and there is a unit $\alpha \in A_K^\times$ such that
$$\alpha^{l-1} \not\equiv 1 \bmod I_u^2, \qquad \alpha^{(p^2-1)/l} \not\equiv 1 \bmod I_v.$$
Then, we have the following:

a. There is an exact sequence
$$1 \to A_K^\times / A_K^{\times l} \xrightarrow{\ i\ } A_u^\times / A_u^{\times l} \oplus A_v^\times / A_v^{\times l} \xrightarrow{\ j\ } \pi_1(U)^{ab} / \pi_1(U)^{ab\,l} \to 1. \qquad (2.2.1)$$

b. $\dim_{\mathbb{Z}/l\mathbb{Z}} \pi_1(U)^{ab} / \pi_1(U)^{ab\,l} = 1$, where $\pi_1(U)$ is the étale fundamental group of $U$ (see, for example, [Milne 1980]);

c. For any nontrivial character $\chi : \pi_1(U) \to \mathbb{Z}/l\mathbb{Z}$, $\chi$ is ramified at both $u$ and $v$.
Proof.

a. Let us consider the following commutative diagram, whose layout is garbled in the source; its legible terms are the row $1 \to A_K^\times \to K^\times \to \mathrm{Div}(K)$, the term $\{\pm 1\}^{\oplus 2} \oplus A_u^\times / A_u^{\times l} \oplus A_v^\times / A_v^{\times l}$, the term $\{\pm 1\}^{\oplus 2} \oplus K_u^\times / A_u^{\times l} \oplus K_v^\times / A_v^{\times l}$, and vertical maps whose labels are illegible.
Through the snake lemma and class field theory, we have the following exact sequence:
$$A_K^\times \to \{\pm 1\}^{\oplus 2} \oplus A_u^\times / A_u^{\times l} \oplus A_v^\times / A_v^{\times l} \to \pi_1(U)^{ab} / \mathrm{Im}(A_u^{\times l} \oplus A_v^{\times l}) \to \mathrm{Cl}(K) \to 1,$$
where the term $\mathrm{Im}(A_u^{\times l} \oplus A_v^{\times l})$ is the image of $A_u^{\times l} \oplus A_v^{\times l}$ under the reciprocity map
$$K_u^\times \oplus K_v^\times \to \mathrm{Gal}(K_u^{ab}/K_u) \oplus \mathrm{Gal}(K_v^{ab}/K_v) \to \pi_1(U)^{ab}.$$

As the class number of $K$ is assumed not divisible by $l$, a diagram chase shows an exact sequence
$$A_K^\times / A_K^{\times l} \to A_u^\times / A_u^{\times l} \oplus A_v^\times / A_v^{\times l} \to \pi_1(U)^{ab} / \pi_1(U)^{ab\,l} \to 1.$$
The hypothesis on the existence of the global unit shows that the left morphism is nonzero. Thus it is injective, since $A_K^\times / A_K^{\times l}$ is a $\mathbb{Z}/l\mathbb{Z}$-linear space of dimension 1. Therefore, we obtain the exact sequence (2.2.1).

b. The complete discrete valuation rings $A_u$ and $A_v$ are isomorphic to $\mathbb{Z}_l$ and $W(\mathbb{F}_{p^2})$ (the Witt ring over $\mathbb{F}_{p^2}$), respectively. Therefore, the middle term in the sequence (2.2.1) is isomorphic to $(\mathbb{Z}/l^2\mathbb{Z})^\times / (\mathbb{Z}/l^2\mathbb{Z})^{\times l} \oplus \mathbb{F}_{p^2}^\times / \mathbb{F}_{p^2}^{\times l}$, and is of $\mathbb{Z}/l\mathbb{Z}$-dimension 2. Since we know that $A_K^\times / A_K^{\times l}$ is a $\mathbb{Z}/l\mathbb{Z}$-linear space of dimension 1, the right term in (2.2.1) has $\mathbb{Z}/l\mathbb{Z}$-dimension 1.

c. We consider the dual sequence
$$0 \to \mathrm{Hom}(\pi_1(U)^{ab}, \mathbb{Z}/l\mathbb{Z}) \xrightarrow{\ j^*\ } \mathrm{Hom}(A_u^\times / A_u^{\times l} \oplus A_v^\times / A_v^{\times l}, \mathbb{Z}/l\mathbb{Z}) \xrightarrow{\ i^*\ } \mathrm{Hom}(A_K^\times / A_K^{\times l}, \mathbb{Z}/l\mathbb{Z}) \to 0 \qquad (2.2.2)$$
of (2.2.1). Denote the image of $\alpha$ under the morphism $i$ by $(\alpha_u, \alpha_v)$. For any $\chi \neq 0 \in \mathrm{Hom}(\pi_1(U)^{ab}, \mathbb{Z}/l\mathbb{Z})$, denote the image of $\chi$ under the morphism $j^*$ by $(\chi_u, \chi_v)$; we then have
$$(\alpha_u, \chi_u) + (\alpha_v, \chi_v) = 0 \qquad (2.2.3)$$
by (2.2.2). Therefore, the following four conditions are equivalent:

(i) $\chi$ is ramified at $u$,

(ii) $(\alpha_u, \chi_u) \neq 0$,

(iii) $(\alpha_v, \chi_v) \neq 0$,

(iv) $\chi$ is ramified at $v$.

The map $j^*$ is injective, so there is no non-trivial character $\chi : \pi_1(U) \to \mathbb{Z}/l\mathbb{Z}$ that is unramified at both points $u$ and $v$. Therefore, for any non-trivial $\chi \in \mathrm{Hom}(\pi_1(U), \mathbb{Z}/l\mathbb{Z})$, $\chi$ must be ramified at both $u$ and $v$. $\blacksquare$

The following corollary is proved in the proof of Proposition 2.1c.

Corollary 2.2. Under the conditions of Proposition 2.1, for any non-trivial character $\chi : \pi_1(U) \to \mathbb{Z}/l\mathbb{Z}$, we have the following:

(i) $(\alpha_u, \chi_u) \neq 0$,

(ii) $(\alpha_v, \chi_v) \neq 0$,

(iii) $(\alpha_u, \chi_u) + (\alpha_v, \chi_v) = 0$.

Through the natural isomorphism $A_u^\times / A_u^{\times l} \cong (\mathbb{Z}/l^2\mathbb{Z})^\times / (\mathbb{Z}/l^2\mathbb{Z})^{\times l}$, $A_u^\times / A_u^{\times l}$ is generated by $1 + l$. For any generator $g$ of $\mathbb{F}_{p^2}^\times / \mathbb{F}_{p^2}^{\times l}$, we regard it as a generator of $A_v^\times / A_v^{\times l}$ through the natural isomorphism $A_v^\times / A_v^{\times l} \cong \mathbb{F}_{p^2}^\times / \mathbb{F}_{p^2}^{\times l}$. Clearly, $(1 + l, \chi_u)^{-1} (g, \chi_v)$ is independent of the choice of $\chi \neq 0 \in \mathrm{Hom}(\pi_1(U), \mathbb{Z}/l\mathbb{Z})$. We call this term the ramification signature of $U$ with respect to $g$.

3 Signature computation problem and discrete logarithm problem in $\mathbb{F}_{p^2}^\times$

In this section, we show that the discrete logarithm problem in $\mathbb{F}_{p^2}^\times$ is random polynomial time equivalent to computing the ramification signature of some real quadratic field.

3.1 Reduction from signature computation problem to discrete logarithm problem

Suppose given $p$, $l$, $K = \mathbb{Q}(\sqrt{D})$, $U$, $u$, $u'$, $v$, $\alpha$, $g$ as in Proposition 2.1. Then the computation of the ramification signature of $U$ with respect to $g$ can be reduced to a discrete logarithm problem in $\mathbb{F}_{p^2}$ as follows, by using Corollary 2.2.

Let us consider the following commutative diagram:
$$\begin{array}{ccccc} A_K^\times & \to & A_u^\times \cong \mathbb{Z}_l^\times & \to & \mathbb{Z}_l^\times / \mathbb{Z}_l^{\times l} \\ & & \downarrow & & \downarrow \\ & & (\mathbb{Z}/l^2\mathbb{Z})^\times & \to & (\mathbb{Z}/l^2\mathbb{Z})^\times / (\mathbb{Z}/l^2\mathbb{Z})^{\times l}. \end{array}$$

If the image in $(\mathbb{Z}/l^2\mathbb{Z})^\times$ of $\alpha$ equals $\zeta (1 + l)^y$, where $\zeta$ is an $(l-1)$-st root of unity, then its image in $(\mathbb{Z}/l^2\mathbb{Z})^\times / (\mathbb{Z}/l^2\mathbb{Z})^{\times l}$ equals $(1 + l)^y$. We can easily compute $\zeta$, $y$ and consequently the first term in (2.2.3): $(\alpha_u, \chi_u) = y (1 + l, \chi_u)$.

For the second term in (2.2.3), if the image of $\alpha$ under the morphism $A_K^\times \to A_v^\times / A_v^{\times l} \cong \mathbb{F}_{p^2}^\times / \mathbb{F}_{p^2}^{\times l}$ is $\bar\alpha = g^m$, then $(\alpha_v, \chi_v) = m (g, \chi_v)$.

By Corollary 2.2, if we can compute $m$ from $\bar\alpha = g^m$, then we can compute
$$(1 + l, \chi_u)^{-1} (g, \chi_v) = -m^{-1} y \in \mathbb{Z}/l\mathbb{Z}.$$

3.2 Reduction from discrete logarithm problem to signature computation problem

Let $g$ be a generator of $\mathbb{F}_{p^2}^\times$, $a \in \mathbb{F}_{p^2}^\times$ and $l$ a prime dividing $p^2 - 1$. The computation of the discrete logarithm $\log_g a \bmod l$ can then be reduced to computing the ramification signature of a real quadratic field as follows, by using Corollary 2.2.

Let $m = \log_g a \bmod l$. If $a \in \mathbb{F}_{p^2}^{\times l}$, then we have $m \equiv 0 \bmod l$. Thus we can suppose $a \notin \mathbb{F}_{p^2}^{\times l}$.

a. If $l \nmid p - 1$, we must have $l \mid p + 1$. Let $\bar\alpha := a^{p-1}$, $\bar g := g^{p-1}$. We then have
$$\bar\alpha = \bar g^m, \qquad \mathrm{Nm}(\bar\alpha) = \mathrm{Nm}(\bar g) = 1, \qquad \bar\alpha \notin \mathbb{F}_{p^2}^{\times l}.$$
We take $t \in \mathbb{F}_p$ such that $\left(\frac{t}{p}\right) = -1$. We have $\mathbb{F}_{p^2} = \mathbb{F}_p(\sqrt{t})$. We put $\bar\alpha = a_0 + b_0 \sqrt{t}$, where $a_0, b_0 \in \mathbb{F}_p$. We can assume $b_0 \neq 0$; otherwise, $\bar\alpha^2 = 1$ and $m = 0$ or $\tfrac{p+1}{2}$.

We have $a_0^2 - b_0^2 t = \mathrm{Nm}(\bar\alpha) = 1 \bmod p$. Hence, for any $k \in \mathbb{Z}$, the following holds:
$$\left(\frac{(a_0 + kp)^2 - 1}{p}\right) = \left(\frac{a_0^2 - 1}{p}\right) = \left(\frac{b_0^2 t}{p}\right) = \left(\frac{t}{p}\right) = -1.$$

We choose $k \in \{0, 1, \dots, l - 1\}$ randomly, until $\left(\frac{(a_0 + kp)^2 - 1}{l}\right) = 1$. Lemma 3.1 below for $c = 1$ shows that we can obtain such $k$ with probability about 50% each time.



If we find such $k$, let $a_1 := a_0 + kp \in \mathbb{Z}_l$. We have $\sqrt{a_1^2 - 1} \in \mathbb{Z}_l$ because $\left(\frac{a_1^2 - 1}{l}\right) = 1$. If $(a_1 + \sqrt{a_1^2 - 1})^{l-1} \not\equiv 1 \bmod l^2$, we know also $(a_1 - \sqrt{a_1^2 - 1})^{l-1} \not\equiv 1 \bmod l^2$; let $x = a_1$. Else, let $x = a_1 + pl$. Lemma 3.2 below for $c = 1$ shows that $(x + \sqrt{x^2 - 1})^{l-1} \not\equiv 1 \bmod l^2$ and $(x - \sqrt{x^2 - 1})^{l-1} \not\equiv 1 \bmod l^2$.



Let $K := \mathbb{Q}(\sqrt{x^2 - 1})$. Then $K$ is inert over $p$ and splits over $l$ because $\left(\frac{x^2 - 1}{p}\right) = -1$ and $\left(\frac{x^2 - 1}{l}\right) = 1$. Let $v \in \operatorname{Spec} A_K$ be the point over $p$ and $u \in \operatorname{Spec} A_K$ a point over $l$. We have $\sqrt{x^2 - 1} \equiv \pm b_0 \sqrt{t} \bmod v$, because $x^2 - 1 \equiv a_0^2 - 1 \equiv b_0^2 t \bmod v$. Let $\alpha := x + \sqrt{x^2 - 1} \in A_K$ if $\sqrt{x^2 - 1} \equiv b_0 \sqrt{t} \bmod v$, or $\alpha := x - \sqrt{x^2 - 1} \in A_K$ otherwise. We then have $\alpha^{l-1} \not\equiv 1 \bmod I_u^2$ and
$$\alpha \equiv x + \sqrt{x^2 - 1} \equiv a_0 + b_0 \sqrt{t} = \bar\alpha = \bar g^m \bmod v,$$
implying that $\alpha^{(p^2-1)/l} \not\equiv 1 \bmod I_v$, as $\bar\alpha \notin \mathbb{F}_{p^2}^{\times l}$. As $\alpha = x \pm \sqrt{x^2 - 1} \in A_K$ and $\mathrm{Nm}(\alpha) = x^2 - (x^2 - 1) = 1$, we have $\alpha \in A_K^\times$.

Let $U := \operatorname{Spec} A_K \setminus \{u, v\}$. We assume that $l \nmid h_K$, which is likely to be satisfied. Proposition 2.1 then shows $(\alpha_u, \chi) + (\alpha_v, \chi) = 0$ for any $\chi \neq 0 \in \mathrm{Hom}(\pi_1(U), \mathbb{Z}/l\mathbb{Z})$. Let $(1 + l)^y$ be the image of $\alpha$ under the morphism
$$A_K^\times \to A_u^\times = \mathbb{Z}_l^\times \to (\mathbb{Z}/l^2\mathbb{Z})^\times / (\mathbb{Z}/l^2\mathbb{Z})^{\times l}.$$

For the first term in (2.2.3), we have $(\alpha_u, \chi) = y (1 + l, \chi)$. For the second term in (2.2.3), we have $(\alpha_v, \chi) = m (g, \chi)$. By Corollary 2.2(iii), we obtain
$$y (1 + l, \chi) + m (g, \chi) = 0.$$

Therefore, if we can compute the ramification signature $(\chi, 1 + l)^{-1} (\chi, g)$ of $U$ with respect to $g$, then we can compute $m = -y (\chi, 1 + l) (\chi, g)^{-1}$.
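The construction of Section 3.2.a carried out end to end on toy parameters, as an added example that is not part of the paper. The parameters $p = 13$, $l = 7$ (so $l \mid p+1$), $\mathbb{F}_{p^2} = \mathbb{F}_{13}(\sqrt{2})$, the generator $g = 1 + 2\sqrt{2}$ and the exponent $m = 5$ are all assumptions chosen here, and the function and variable names are the example's own. The code performs the passage to norm-one elements, the lift $a_1 = a_0 + kp$ with $\left(\frac{a_1^2-1}{l}\right) = 1$ (Lemma 3.1), the Step 4 adjustment by $pl$ (Lemma 3.2), and reads off $y$ from $\alpha_u^{l-1} \equiv 1 - yl \bmod l^2$, which is the computation of Section 3.1. The pairings $(\cdot, \chi)$ themselves are not computed (that would need class field theory); instead the discrete logarithm is solved by exhaustive search, feasible only at this toy size, so that the value $-m^{-1}y$ the signature must take can be displayed next to the data it is built from.

```python
# Added example (not from the paper): Section 3.2.a on constructed toy parameters.
# F_{p^2} = F_p(sqrt t) with t a non-residue; elements are pairs (a, b) = a + b*sqrt(t).


def legendre(a, q):
    """Legendre symbol (a/q) for an odd prime q, as 0, 1 or -1."""
    a %= q
    if a == 0:
        return 0
    return 1 if pow(a, (q - 1) // 2, q) == 1 else -1


def f2_mul(x, y, p, t):
    """Product of x = (a, b) and y = (c, d) in F_{p^2} = F_p(sqrt t)."""
    a, b = x
    c, d = y
    return ((a * c + t * b * d) % p, (a * d + b * c) % p)


def f2_pow(x, n, p, t):
    """x^n in F_{p^2} by square-and-multiply."""
    result, base = (1, 0), x
    while n:
        if n & 1:
            result = f2_mul(result, base, p, t)
        base = f2_mul(base, base, p, t)
        n >>= 1
    return result


def f2_norm(x, p, t):
    """Nm(a + b*sqrt t) = a^2 - t*b^2 in F_p."""
    a, b = x
    return (a * a - t * b * b) % p


def is_generator(g, p, t):
    """g generates F_{p^2}^x iff g^((p^2-1)/q) != 1 for every prime q dividing p^2 - 1."""
    n = p * p - 1
    primes = [q for q in range(2, n + 1)
              if n % q == 0 and all(q % r for r in range(2, int(q ** 0.5) + 1))]
    return all(f2_pow(g, n // q, p, t) != (1, 0) for q in primes)


def sqrt_mod(c, modulus):
    """Smallest r with r^2 = c (mod modulus), by exhaustive search (toy sizes only)."""
    c %= modulus
    return next(r for r in range(modulus) if r * r % modulus == c)


def lift_to_real_quadratic(p, l, t, g, m):
    """Run Section 3.2.a on a = g^m and return the constructed field, unit and the value y."""
    assert (p + 1) % l == 0 and legendre(t, p) == -1 and is_generator(g, p, t)
    l2 = l * l
    a = f2_pow(g, m, p, t)
    # Pass to norm-one elements: alpha_bar = a^(p-1), g_bar = g^(p-1), still alpha_bar = g_bar^m.
    alpha_bar = f2_pow(a, p - 1, p, t)
    g_bar = f2_pow(g, p - 1, p, t)
    assert f2_norm(alpha_bar, p, t) == 1 and f2_norm(g_bar, p, t) == 1
    a0, b0 = alpha_bar                       # alpha_bar = a0 + b0*sqrt(t)
    assert b0 != 0, "alpha_bar = +-1: then m = 0 mod l and there is nothing to lift"
    # Lift a0 to a1 = a0 + k*p with ((a1^2 - 1)/l) = 1; Lemma 3.1 (c = 1): about half the k work.
    a1 = next(a0 + k * p for k in range(l) if legendre((a0 + k * p) ** 2 - 1, l) == 1)
    # Step 4: make sure x + sqrt(x^2 - 1) is not an l-th power in Z_l^x (tested mod l^2);
    # if it is, shift by p*l, which Lemma 3.2 (c = 1) shows always repairs it.
    x, r = a1, sqrt_mod(a1 * a1 - 1, l2)    # r: a square root of x^2 - 1 in Z_l, known mod l^2
    if pow(x + r, l - 1, l2) == 1:
        x = a1 + p * l
        r = sqrt_mod(x * x - 1, l2)
    D = x * x - 1                            # K = Q(sqrt D), alpha = x + sqrt D, Nm(alpha) = 1
    # alpha_u = x + r in A_u = Z_l equals zeta*(1+l)^y, so alpha_u^(l-1) = 1 - y*l (mod l^2).
    y = (-(pow(x + r, l - 1, l2) - 1) // l) % l
    # Toy size: solve alpha_bar = g_bar^m' by search; by Section 3.1 the signature of U with
    # respect to g_bar is then -y/m' in Z/lZ, and m' = -y * signature^(-1) recovers it.
    m_prime = next(k for k in range(p + 1) if f2_pow(g_bar, k, p, t) == alpha_bar)
    signature = (-pow(m_prime, -1, l) * y) % l
    return {
        "alpha_bar": alpha_bar, "a1": a1, "x": x, "D": D, "y": y,
        "inert_at_p": legendre(D, p),        # -1: p stays prime in K
        "split_at_l": legendre(D, l),        # +1: l splits in K
        "alpha_l_minus_1_mod_l2": pow(x + r, l - 1, l2),
        "m_mod_l": m_prime % l, "signature": signature,
        "m_recovered": (-y * pow(signature, -1, l)) % l,
    }


if __name__ == "__main__":
    print(lift_to_real_quadratic(13, 7, 2, (1, 2), 5))
```

The exhaustive discrete logarithm and the brute-force square root are the only parts that do not scale; everything else is the polynomial-time bookkeeping the reduction relies on, and replacing `sqrt_mod` by a Tonelli-Shanks root followed by one Hensel step gives the same values for large $l$.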

b. If $l \mid p - 1$, we have $\mathrm{Nm}(a) = \mathrm{Nm}(g)^m$ as elements of $\mathbb{F}_p^\times$. The construction in [Huang-Raskind 2009] gives us a real quadratic field and a global unit of the field that enable us to reduce the computation of $m$ satisfying $\mathrm{Nm}(a) = \mathrm{Nm}(g)^m$ to the signature computation problem of the real quadratic field, using the algorithm in [Huang-Raskind 2009]. However, the construction requires some conditions on the class number of the field and the unit to be satisfied ([Huang-Raskind 2009], Section 4.2). We give an improvement in Step 4 below on the construction recalled below. With the improvement, one of the conditions (condition 2 in Proposition 2 of Section 4.1 in [Huang-Raskind 2009]) is satisfied automatically.

Let $a = g^m$ in $\mathbb{F}_p^\times$, where $m$ is to be computed. If $a^{(p-1)/l} = 1$, then $m \equiv 0 \pmod l$. Thus suppose $a^{(p-1)/l} \neq 1$. We will lift $a$ to some unit $\alpha$ of a real quadratic field $K$ such that $\alpha \equiv a \bmod v$ for some place $v$ of $K$ over $p$, $\alpha^{l-1} \not\equiv 1 \bmod I_u^2$, and $\alpha^{l-1} \not\equiv 1 \bmod I_{u'}^2$ for the two places $u$ and $u'$ of $K$ over $l$. We do it as follows:

1. Compute $b \in \mathbb{F}_p^\times$ such that $ab = 1$ in $\mathbb{F}_p^\times$.

2. Put $c := \frac{a + b}{2}$, $d := \frac{a - b}{2}$. Note that $c^2 - d^2 = 1$ and $a = c + d$. We can assume $d \neq 0$; otherwise, $a^2 = 1$ and $m = 0$ or $\tfrac{p-1}{2}$.

3. Lift $d$ to an integer. We have $\left(\frac{d^2 + 1}{p}\right) = \left(\frac{c^2}{p}\right) = 1$. We choose $k \in \{0, 1, \dots, l - 1\}$ randomly until $\left(\frac{(d + kp)^2 + 1}{l}\right) = 1$. Lemma 3.1 below for $c = -1$ shows that we can obtain such $k$ with probability of about 50% each time.

4. If we find such $k$, let $d_1 := d + kp \in \mathbb{Z}_l$. We may take $\sqrt{d_1^2 + 1} \in \mathbb{Z}_l$ since $\left(\frac{d_1^2 + 1}{l}\right) = 1$. If $(d_1 + \sqrt{d_1^2 + 1})^{l-1} \not\equiv 1 \bmod l^2$, let $x = d_1$; otherwise let $x = d_1 + pl$. Lemma 3.2 below for $c = -1$ shows that $(x + \sqrt{x^2 + 1})^{l-1} \not\equiv 1 \bmod l^2$ and $(x - \sqrt{x^2 + 1})^{l-1} \not\equiv 1 \bmod l^2$.

5. Let $K := \mathbb{Q}(\sqrt{x^2 + 1})$, $\alpha := x + \sqrt{x^2 + 1} \in K$. Note that $\mathrm{Nm}(\alpha) = 1$, so $\alpha$ is a unit of $K$.

6. Let $v$ be the point in $\operatorname{Spec} \mathcal{O}_K$ corresponding to the prime ideal $(p, \sqrt{x^2 + 1} - c)$, $v'$ the point in $\operatorname{Spec} \mathcal{O}_K$ corresponding to the prime ideal $(p, \sqrt{x^2 + 1} + c)$, and $u$ and $u'$ the points in $\operatorname{Spec} \mathcal{O}_K$ over $l$. Thus, $\alpha \equiv d + c = a \bmod v$, $\alpha \equiv d - c = -b \bmod v'$, $\alpha^{l-1} \not\equiv 1 \bmod I_u^2$ and $\alpha^{l-1} \not\equiv 1 \bmod I_{u'}^2$. $\blacksquare$
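Steps 1 to 6 above, run on toy parameters as an added example that is not part of the paper. The values $p = 13$, $l = 3$ (so $l \mid p - 1$), $g = 2$ and $m = 5$ are assumptions chosen here, and the function name is the example's own. The returned data lets one check the claims of Step 6 directly: $\alpha \equiv a \bmod v$, $\alpha \equiv -b \bmod v'$, and the $(l-1)$-st power of $\alpha$ is not $1 \bmod l^2$ for either choice of the square root, i.e. at both places over $l$.

```python
# Added example (not from the paper): Steps 1-6 of Section 3.2.b on constructed toy parameters.


def legendre(a, q):
    """Legendre symbol (a/q) for an odd prime q, as 0, 1 or -1."""
    a %= q
    if a == 0:
        return 0
    return 1 if pow(a, (q - 1) // 2, q) == 1 else -1


def sqrt_mod(c, modulus):
    """Smallest r with r^2 = c (mod modulus), by exhaustive search (toy sizes only)."""
    c %= modulus
    return next(r for r in range(modulus) if r * r % modulus == c)


def lift_prime_field_case(p, l, g, m):
    """Lift a = g^m in F_p^x to the unit alpha = x + sqrt(x^2+1) of K = Q(sqrt(x^2+1))."""
    assert (p - 1) % l == 0
    l2 = l * l
    a = pow(g, m, p)
    assert pow(a, (p - 1) // l, p) != 1, "a^((p-1)/l) = 1 means m = 0 mod l; nothing to lift"
    b = pow(a, -1, p)                                     # Step 1: ab = 1
    inv2 = pow(2, -1, p)
    c, d = (a + b) * inv2 % p, (a - b) * inv2 % p         # Step 2: c^2 - d^2 = ab = 1, a = c + d
    assert (c * c - d * d) % p == 1 and d != 0
    # Step 3: lift d to d1 = d + k*p with ((d1^2 + 1)/l) = 1 (Lemma 3.1 with c = -1).
    d1 = next(d + k * p for k in range(l) if legendre((d + k * p) ** 2 + 1, l) == 1)
    # Step 4 (the paper's improvement): if d1 + sqrt(d1^2 + 1) is an l-th power in Z_l^x,
    # i.e. its (l-1)-st power is 1 mod l^2, shift by p*l; Lemma 3.2 with c = -1 repairs it.
    x, r = d1, sqrt_mod(d1 * d1 + 1, l2)
    if pow(x + r, l - 1, l2) == 1:
        x = d1 + p * l
        r = sqrt_mod(x * x + 1, l2)
    D = x * x + 1                                         # Step 5: K = Q(sqrt D), alpha = x + sqrt D
    # Step 6: x = d mod p and D = d^2 + 1 = c^2 mod p, so sqrt D = +-c at the two places over p.
    assert (D - c * c) % p == 0
    return {
        "a": a, "b": b, "c": c, "d": d, "d1": d1, "x": x, "D": D,
        "alpha_mod_v": (x + c) % p,                       # should equal d + c = a
        "alpha_mod_v_prime": (x - c) % p,                 # should equal d - c = -b
        "alpha_pow_l_minus_1": pow(x + r, l - 1, l2),     # != 1: alpha^(l-1) != 1 mod I_u^2
        "conjugate_pow_l_minus_1": pow(x - r, l - 1, l2), # != 1: the same at u'
        "splits_at_p": legendre(D, p) == 1,
        "splits_at_l": legendre(D, l) == 1,
    }


if __name__ == "__main__":
    print(lift_prime_field_case(13, 3, 2, 5))
```

The product of the two $(l-1)$-st powers returned is $c^{l-1} = (-1)^{l-1} \equiv 1 \bmod l^2$, which is the identity the proof of Lemma 3.2 uses to pass from one square root to the other.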

In [Huang-Raskind 2009], they proved the reduction from a signature computation to a discrete logarithm problem in $\mathbb{F}_p$ without any heuristic assumption. Therefore, we conclude that the discrete logarithm problems in $\mathbb{F}_{p^2}$ and $\mathbb{F}_p$ are random polynomial time equivalent to some signature computation problem with only one assumption, namely, that on the class number.

The following are the statements and proofs of Lemma 3.1 and Lemma 3.2.

Lemma 3.1. Let $l$ be an odd prime, $c \in \mathbb{F}_l^\times$. Define a map $f : \mathbb{Z}/l\mathbb{Z} \to \{0, 1, -1\}$ by $a \mapsto \left(\frac{a^2 - c}{l}\right)$. Then, we have
$$|f^{-1}(0)| = 2, \quad |f^{-1}(1)| = (l-3)/2, \quad |f^{-1}(-1)| = (l-1)/2 \quad \text{if } \left(\tfrac{c}{l}\right) = 1,$$
$$|f^{-1}(0)| = 0, \quad |f^{-1}(1)| = (l-1)/2, \quad |f^{-1}(-1)| = (l+1)/2 \quad \text{if } \left(\tfrac{c}{l}\right) = -1.$$

Proof. Let $X$ be the curve defined by $y^2 = x^2 - c$ over $\mathbb{F}_l$. For any $a \in \mathbb{F}_l$, the cardinality of the set $\{\mathbb{F}_l\text{-rational points of } X \text{ with first coordinate } a\}$ is $f(a) + 1$. Therefore, the following holds:
$$\sum_{a \in \mathbb{F}_l} (f(a) + 1) = |X(\mathbb{F}_l)|.$$

The curve $X$ is isomorphic to the affine scheme defined by $zw = 1$ over $\mathbb{F}_l$, which implies $|X(\mathbb{F}_l)| = l - 1$, and $\sum_{a \in \mathbb{F}_l} f(a) = |X(\mathbb{F}_l)| - l = -1$. Clearly,
$$f^{-1}(0) = \{\sqrt{c}, -\sqrt{c}\} \ \text{if } \left(\tfrac{c}{l}\right) = 1, \qquad f^{-1}(0) = \emptyset \ \text{if } \left(\tfrac{c}{l}\right) = -1,$$
and the lemma follows easily from $|f^{-1}(1)| + |f^{-1}(-1)| + |f^{-1}(0)| = l$ and $|f^{-1}(1)| - |f^{-1}(-1)| = \sum_{a \in \mathbb{F}_l} f(a) = -1$. $\blacksquare$
Lemma 3.2. Let $p$ and $l$ be two distinct odd prime numbers. Let $c$ be an integer such that $c^{l-1} \equiv 1 \bmod l^2$ and $a$ an integer such that $\left(\frac{a^2 - c}{l}\right) = 1$. We denote a square root of $a^2 - c$ in $\mathbb{Z}_l$ by $\sqrt{a^2 - c}$. If $(a + \sqrt{a^2 - c})^{l-1} \in 1 + l^2 \mathbb{Z}_l$, then we have $((a + pl) + \sqrt{(a + pl)^2 - c})^{l-1} \notin 1 + l^2 \mathbb{Z}_l$ and $((a + pl) - \sqrt{(a + pl)^2 - c})^{l-1} \notin 1 + l^2 \mathbb{Z}_l$.

Proof. By Hensel's lemma, there is a unique square root $\sqrt{(a + x)^2 - c}$ of $(a + x)^2 - c$ in $\mathbb{Z}_l[[x]]$ such that its image under the morphism $x \mapsto 0 : \mathbb{Z}_l[[x]] \to \mathbb{Z}_l$ is $\sqrt{a^2 - c}$. Let $h(x) := (a + x) + \sqrt{(a + x)^2 - c}$; we then have
$$h(pl) \equiv h(0) + h'(0)\, pl \bmod l^2,$$
where $h'(0) = 1 + \frac{a}{\sqrt{a^2 - c}}$. Therefore, we have
$$h(pl) \equiv h(0) \Bigl(1 + \frac{pl}{\sqrt{a^2 - c}}\Bigr) \bmod l^2.$$

The term $\frac{p}{\sqrt{a^2 - c}}$ is not divisible by $l$, which implies $h(pl)^{l-1} \not\equiv h(0)^{l-1} \bmod l^2$. Hence, we have
$$((a + pl) + \sqrt{(a + pl)^2 - c})^{l-1} \not\equiv (a + \sqrt{a^2 - c})^{l-1} \equiv 1 \bmod l^2.$$

The fact that $((a + pl) + \sqrt{(a + pl)^2 - c})^{l-1} ((a + pl) - \sqrt{(a + pl)^2 - c})^{l-1} = c^{l-1} \equiv 1 \bmod l^2$ shows
$$((a + pl) - \sqrt{(a + pl)^2 - c})^{l-1} \not\equiv 1 \bmod l^2. \qquad \blacksquare$$
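Both lemmas checked numerically, as an added example that is not part of the paper: Lemma 3.1 by enumerating $f$ over $\mathbb{Z}/l\mathbb{Z}$ and comparing with the stated counts, and Lemma 3.2 on the instance $p = 13$, $l = 7$, $c = 1$, $a = 24$, constructed here because $a + \sqrt{a^2 - c} \equiv 30 \bmod 49$ satisfies $30^6 \equiv 1 \bmod 49$, so the hypothesis $(a + \sqrt{a^2 - c})^{l-1} \equiv 1 \bmod l^2$ holds and the shift $a \mapsto a + pl$ is actually needed. The function names are the example's own.

```python
# Added example (not from the paper): numerical checks of Lemma 3.1 and Lemma 3.2.
# Every parameter below is constructed for the demonstration.


def legendre(a, q):
    """Legendre symbol (a/q) for an odd prime q, as 0, 1 or -1."""
    a %= q
    if a == 0:
        return 0
    return 1 if pow(a, (q - 1) // 2, q) == 1 else -1


def lemma31_counts(l, c):
    """|f^-1(0)|, |f^-1(1)|, |f^-1(-1)| for f(a) = ((a^2 - c)/l), by enumerating a in Z/lZ."""
    values = [legendre(a * a - c, l) for a in range(l)]
    return values.count(0), values.count(1), values.count(-1)


def lemma31_predicted(l, c):
    """The counts Lemma 3.1 states, according to whether c is a square mod l."""
    if legendre(c, l) == 1:
        return 2, (l - 3) // 2, (l - 1) // 2
    return 0, (l - 1) // 2, (l + 1) // 2


def success_probability(l, c):
    """Fraction of k in {0, ..., l-1} with ((k^2 - c)/l) = 1: the 'about 50%' of Section 3.2."""
    return lemma31_counts(l, c)[1] / l


def sqrt_mod(c, modulus):
    """Smallest r with r^2 = c (mod modulus), by exhaustive search (toy sizes only)."""
    c %= modulus
    return next(r for r in range(modulus) if r * r % modulus == c)


def lemma32_shift(p, l, c, a):
    """(a +- sqrt(a^2 - c))^(l-1) mod l^2 before and after replacing a by a + p*l (Lemma 3.2)."""
    l2 = l * l
    assert pow(c, l - 1, l2) == 1 and legendre(a * a - c, l) == 1
    r = sqrt_mod(a * a - c, l2)             # a square root of a^2 - c in Z_l, known mod l^2
    before = pow(a + r, l - 1, l2)
    a2 = a + p * l
    r2 = sqrt_mod(a2 * a2 - c, l2)
    after = sorted((pow(a2 + r2, l - 1, l2), pow(a2 - r2, l - 1, l2)))
    # The two residues after the shift multiply to c^(l-1) = 1 mod l^2, as the proof uses.
    return {"before": before, "after": after, "after_product": after[0] * after[1] % l2}


if __name__ == "__main__":
    print(lemma31_counts(7, 1), lemma31_predicted(7, 1))
    print(lemma32_shift(13, 7, 1, 24))
```

In `lemma32_shift` the square root after the shift is chosen as the smallest residue rather than by Hensel continuation from the original root, which may swap the two values; the lemma's conclusion, that neither is $1$, does not depend on which root is called $+$.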